Analysis Overview
SHA256: 5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e
Threat Level: Known bad
The file 5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Loads dropped DLL
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-02-03 11:33
Signatures
Detects Pyinstaller
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-03 11:33
Reported: 2024-02-03 11:35
Platform: win7-20231215-en
Max time kernel: 142s
Max time network: 121s
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe | "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe" |
| C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe | "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29922\python27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI29922\MSVCR90.dll
C:\Users\Admin\AppData\Local\Temp\_MEI29922\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29922\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI29922\https.exe.manifest
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-03 11:33
Reported: 2024-02-03 11:35
Platform: win10v2004-20231215-en
Max time kernel: 141s
Max time network: 132s
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2808 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe | C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe | "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe" |
| C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe | "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baidu.611110.xyz | udp |
| US | 104.21.93.227:8443 | baidu.611110.xyz | tcp |
| US | 8.8.8.8:53 | 227.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI28082\python27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI28082\https.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI28082\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI28082\_hashlib.pyd